Google Warning Web Users of DNSChanger Malware Infections

Google is alerting users infected with DNSChanger malware that they should clean their computers or face possibly losing Internet access in July. The FBI issued a warning of its own about the malware in April.

Google is warning Web users infected with the DNSChanger malware that if they do not clean their computer before the FBI's impending deadline, they may lose access to the Internet.

Google said it plans to notify as many as 500,000 users that are still infected with the malware, which was used by a cyber-gang hit in a major takedown operation last year.

DNSChanger, as its name implies, altered the Domain Name System (DNS) settings on compromised computers so they pointed to rogue DNS servers operated by the group. The malicious servers would then alter search results and send users to rogue sites. Google started sending out the warnings May 22.

At its height, the malware infected more than 4 million machines, prompting the U.S. Department of Justice to launch "Operation Ghost Click." Following a two-year investigation, the FBI and other law enforcement agencies arrested several people for using the malware in a scheme to defraud the online advertising industry out of millions of dollars between 2007 and 2011.

After the operation, the government transferred control of the rogue DNS servers to the nonprofit Internet Systems Consortium so that machines that were part of the gang's botnet did not lose Internet access. The court order supporting the arrangement, however, expires July 9, and infected computers that havent been cleaned will have their service disrupted.

"Our goal with this notification is to raise awareness of DNSChanger among affected users," blogged Damian Menscher, security engineer at Google. "We believe directly messaging affected users on a trusted site and in their preferred language will produce the best-possible results."

The Google warning will come in the form of a message that will appear on the top of Google search results stating the user's computer is infected.

"At the current disinfection rate, hundreds of thousands of devices will still be infected when the court order expires on July 9 and the replacement DNS servers are shut down," Menscher blogged. "At that time, any remaining infected machines may experience slowdowns or completely lose Internet access."

"Some ISPs have been taking their own actions, a few of which will prevent our warning from being displayed on affected devices," he continued. "We also cant guarantee that our recommendations will always clean infected devices completely, so some users may need to seek additional help. These conditions aside, if more devices are cleaned and steps are taken to better secure the machines against further abuse, the notification effort will be well worth it."